50716abdde2a383ed8c5da0c10d7c42e52a0d1c7b38878f1b130d08e13d5c5a5 | Triage

Analysis

max time kernel
133s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
19-04-2022 02:37

Sharing

Report Analysis Logs

General

Target

Trojan.Ransom.exe
Size

49KB
MD5

46bfd4f1d581d7c0121d2b19a005d3df
SHA1

5b063298bbd1670b4d39e1baef67f854b8dcba9d
SHA256

683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96
SHA512

b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Score

5^/10

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Trojan.Ransom.exe

description pid process target process

PID 4484 set thread context of 4456 4484 Trojan.Ransom.exe Trojan.Ransom.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4724 4456 WerFault.exe Trojan.Ransom.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

Trojan.Ransom.exe

description	pid	process	target process
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe
PID 4484 wrote to memory of 4456	4484	Trojan.Ransom.exe	Trojan.Ransom.exe

C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe
"C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.Ransom.exe"
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 340
    3⤵
    - Program crash
    PID:4724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4456 -ip 4456
1⤵
PID:1280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4456-130-0x0000000000000000-mapping.dmp

Download
memory/4456-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-132-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-134-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/4456-136-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download